2010-04-01
Abstract
‘There is often little incentive for domain registrars or hosting providers to make it more difficult for criminals to obtain services.’ Mary Landesman, ScanSafe
Copyright © 2010 Virus Bulletin
The first quarter of 2010 witnessed multiple takedown efforts aimed at the Lethic, Waledac, Mariposa and Zeus botnets. Lethic, which specialized in spam for counterfeit goods, pharmaceuticals and degree-less diplomas, was shut down by Neustar in January. In February, Microsoft obtained a court order allowing Verisign and other registrars to withdraw the domains used by the Waledac botnet.
But these takedowns appear to have had little or no effect on spam levels, with statistics from Arbor Networks, Trend Micro, Commtouch and MessageLabs all indicating either steady or increasing spam levels month over month in the first quarter. For example, MessageLabs reported that spam made up 89.4% of email in February – 5.5 percentage points more than in January – and 90.7% in March, a further rise of 1.4 points on the February figure.
The effects of the Mariposa and Zeus takedowns were equally disappointing. Within days of announcing the arrest of Mariposa’s bot herders, Panda Labs (which assisted in the botnet’s takedown) reported on new Mariposa activity from a different set of attackers.
Likewise, efforts aimed at de-peering the Troyak-AS ISP, which provides service to a segment of the Zeus command and control (C&C) servers, proved to be a virtual game of whack-a-mole. Less than 24 hours after being de-peered by its latest upstream provider, Troyak-AS resumed service under a new upstream provider, and this pattern was repeated numerous times.
These less than dramatic results raise the (multi-)million-dollar question: are such takedown efforts an exercise in futility?
Certainly if one focuses only on short-term statistics, the answer would appear to be ‘yes’. However, if one focuses on some of the precedents set during the first quarter, tangible long-term impact may become a reality.
In the case of Lethic, Waledac and Zeus the takedown efforts engaged the service providers, hosts and domain registrars. This not only sets an important legal precedent facilitating future takedown efforts, but also shifts the responsibility – and some of the costs – onto those who (unknowingly or otherwise) enable criminal activity.
Consider the situation with Troyak-AS and the Zeus C&C serviced by that provider. An analysis of ScanSafe traffic involving the domains and IP addresses listed in ZeusTracker reveals that the traffic serviced by Troyak-AS in the first quarter of 2010 made up 48.5% of all Zeus traffic. Thus, a successful shutdown of that segment could lead to significant disruption and financial losses for Zeus bot herders.
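The attribution in the paragraph above rests on two steps: match observed traffic against a ZeusTracker-style list of C&C domains and IP addresses, then group the hits by the autonomous system that routes each destination. The block below is an added example written for this article, not ScanSafe's analysis code or the ZeusTracker feed. The blocklist, the prefix-to-ASN table and the proxy log lines are all constructed (documentation addresses from RFC 5737 and AS numbers reserved for documentation by RFC 5398) and bear no relation to Troyak-AS or to any real Zeus infrastructure.

```python
"""Share of blocklisted C&C traffic per autonomous system.

Added example (not from the original article). All indicators, prefixes,
AS numbers and log lines below are constructed for illustration.
"""
from collections import Counter
from typing import Dict, Optional, Tuple
import ipaddress

# Constructed ZeusTracker-style blocklist: C&C hostnames and drop-point IPs.
# These are documentation names/addresses, not real Zeus indicators.
BLOCKLIST_DOMAINS = {"cc1.example.net", "update.example.org", "stat.example.com"}
BLOCKLIST_IPS = {"192.0.2.10", "198.51.100.7", "203.0.113.99"}

# Constructed prefix -> ASN table (a real run would load BGP data instead).
# AS64496-AS64511 are reserved for documentation; none is a real provider.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/25": 64498,
    "203.0.113.0/24": 64499,  # less specific; longest-prefix match must win
}

# Constructed proxy log: timestamp, client, destination host, destination IP.
# One deliberately malformed line checks that the parser skips garbage.
SAMPLE_LOG = """\
2010-03-02T10:01:17Z 10.0.0.5 cc1.example.net 192.0.2.10
2010-03-02T10:01:18Z 10.0.0.5 www.example.com 203.0.113.200
2010-03-02T10:02:01Z 10.0.0.9 update.example.org 192.0.2.44
2010-03-02T10:03:40Z 10.0.0.12 stat.example.com 198.51.100.7
2010-03-02T10:04:02Z 10.0.0.12 203.0.113.99 203.0.113.99
2010-03-02T10:04:55Z 10.0.0.21 fe.example.net 203.0.113.3
malformed line
2010-03-02T10:05:10Z 10.0.0.21 cc1.example.net 192.0.2.10
"""


def asn_for_ip(ip: str) -> Optional[int]:
    """Longest-prefix match of an address against the prefix table."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, int]] = None  # (prefix length, ASN)
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for anything unparseable."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, host, dst = parts
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "host": host.lower(), "dst": dst}


def is_cnc_hit(rec: Dict[str, str]) -> bool:
    """A hit on the C&C domain counts even if the resolved IP is not listed:
    Zeus C&C names were moved between hosts far faster than the IP list."""
    return rec["host"] in BLOCKLIST_DOMAINS or rec["dst"] in BLOCKLIST_IPS


def cnc_share_by_asn(log_text: str) -> Dict[Optional[int], Tuple[int, float]]:
    """Return {asn: (hit count, percentage of all C&C hits)} for a log."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_cnc_hit(rec):
            continue
        counts[asn_for_ip(rec["dst"])] += 1  # None = no covering prefix
    total = sum(counts.values())
    if total == 0:
        return {}
    return {asn: (n, round(100.0 * n / total, 1)) for asn, n in counts.items()}


if __name__ == "__main__":
    for asn, (n, pct) in sorted(cnc_share_by_asn(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"AS{asn}: {n} hits ({pct}%)")
```

On the constructed log, five of the eight lines are C&C hits and the documentation AS64496 carries three of them, i.e. 60% of the observed Zeus traffic, which is the shape of the figure quoted above for Troyak-AS. Two choices matter in practice: the ASN lookup must be longest-prefix (a /25 carved out of a /24 is a different network), and a domain match must count even when the destination address is absent from the IP list, otherwise C&C that has just moved hosts silently drops out of the tally.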
Perhaps most importantly, though, Troyak-AS also suffers a financial loss. It is presumed that costs were incurred each time Troyak-AS moved to a new upstream provider. Assuming the ISP serviced legitimate businesses as well as Zeus, it is also quite possible that it suffered a loss of customers due to its inability to maintain service. The combination of increased costs and customer loss could cause such a service provider to re-evaluate its business model.
Currently, there can be a considerable financial incentive for so-called bulletproof hosts to turn a blind eye to malicious activity occurring through their services. And there is often little incentive for domain registrars or hosting providers to make it more difficult for criminals to obtain services. But if efforts continue to engage these providers – and where necessary hold them accountable – at some point the cost of turning a blind eye may become unpalatable.
The punches delivered in the first quarter may not have resulted in a technical knockout, but at the very least we’ve winded the bot herders and set a precedent for the enablers. Long-term success depends on continued concerted takedown efforts that engage the providers and cause the enabling of criminal activities to become a cost centre rather than a profit centre. We should support – and not criticize – these types of takedown efforts because we are all reaching for the same goal: better security for all.